TippingPoint, a division of networking giant 3Com, plans to pay researchers for information about unannounced vulnerabilities in major systems and software and will add bonuses for prolific flaw finders, the company announced on Monday.

Under the program, dubbed the Zero Day Initiative (ZDI), researchers will submit details of security bugs to 3Com and the company will make offers to become the exclusive owner of the information. The networking giant will use the information to provide early protection to its customers and also work with the affected product's maker to fix the vulnerability.

"This program is unique in that it is using the information to protect customers--it's not reselling the information," said David Endler, director of security research of 3Com's TippingPoint division. "And, it's giving the information for free to vendors whose products are affected."

Part bug bounty, part loyalty-rewards program, the Zero Day Initiative refines previous plans started by other companies to reward researchers for exclusive information on vulnerabilities.

Security information provider iDefense, now a subsidiary of VeriSign, established the Vulnerability Contributor Program to offer researchers cash for details about undisclosed flaws. Established in August 2002, the controversial plan has fueled debate on the question of responsible disclosure. Later, additional incentives added cash bonuses to the top contributors every quarter and year as well as rewards for referring other researchers.

The Mozilla Foundation has offered a bounty, but only for serious bugs found in its own open-source browser. Microsoft created perhaps the most famous bounty program in the security industry, but not for bugs. In August 2003, the software giant created a $5 million fund to pay for information on attackers who release certain Internet worms and viruses. The bounty is credited with leading authorities to the creator of the Sasser worm, Sven Jaschan, who has been convicted of the crime.

Such programs have become less controversial over time, said Carole Theriault, a security consultant for antivirus firm Sophos.

"Microsoft offered a bounty, and I thought, 'This is Wild West here,' but they got arrests," she said. "I don't think it is wrong to do. If someone finds something of value, then they should get paid for it."

Under 3Com's program, researchers will sign up for an account on the ZDI's portal site, which will launch on August 15. Vulnerabilities submitted to the company through the portal will be evaluated and the company will then make an offer to the flaw finder. If the researcher accepts the offer, then 3Com will own exclusive rights to the information.

Moreover, 3Com will offer additional awards to prolific bug hunters, granting them bronze, silver, gold or platinum status based on how many flaws they find. The company plans to use a point system, reminiscent of frequent flier programs, to track the productivity of researchers.

In all, the program is a major initiative, 3Com's Endler said.

"We have invested a lot of resources--not just monetarily, but in terms of head count--to ensure its success," Endler said.

3Com plans to use flaw information to give its customers early protection against any attacks that might use the vulnerability. The company will obfuscate such updates, including countermeasures to prevent reverse engineering, to make it more difficult for information about the flaw to leak out early.

The company will have to take care to protect the information, because of its value to potential attackers, Endler said.

"There is already an evolving market around zero-day vulnerabilities--not just the public one, but in the underground," he said. "There are groups in Eastern Europe that would love to get their hands on these zero-day vulnerabilities in order to make more effective spyware and phishing attacks."

Those are not the only groups that find such information valuable. Before he went to TippingPoint, Endler helped create the iDefense vulnerability-buying program. The fact that he is creating a new service at a different company speaks volumes about the value of such connections to researchers and of a database of private vulnerabilities.

The economic benefit to the creators of such programs may lead to even more companies establishing their own vulnerability-buying programs, Sophos's Theriault said.

"It looks like--at the moment--that individual companies are doing these programs and they are individually paying for the information, but other players in the security industry may join together to pay for vulnerabilities in order to compete," she said.

3Com intends to publicize the new program at the Black Hat Briefings and at the subsequent DEF CON hacker convention, according to an e-mail announcing the Zero Day Initiative. Both events take place in Las Vegas this week.

This article was updated with additional comments from 3Com's David Endler. The original article posted at 6 a.m. PST.